06-25-2009, 09:22 PM
#1
The Frequenter
Join Date: Jun 2009
Location: Cleveland, Ohio
Posts: 430
Thanks: 30
html form field security?
I know that any field you can write in is a security risk if you do not validate the info first, and it can hurt your database.
What I am wondering is: are there any security risks with drop-down menus, radio buttons or check boxes, since they can not be written in, only selected?
__________________
Anyone who has never made a mistake has never tried anything new.
~ Albert Einstein ~
06-25-2009, 09:26 PM
#2
Wizard
Join Date: Sep 2007
Posts: 1,216
Thanks: 17
Quote:
Originally Posted by knight13
I know that any field you can write in is a security risk if you do not validate the info first, and it can hurt your database.
What I am wondering is: are there any security risks with drop-down menus, radio buttons or check boxes, since they can not be written in, only selected?

That's not technically true; they are passed in plain text via either GET or POST regardless of how the message is collected. All GET and POST data can easily be forged. HTML forms are just a way to gather the information before sending it.
If you use Firefox, try a tool called Tamper to see how forms work.
06-25-2009, 09:40 PM
#3
The Frequenter
Join Date: Jun 2009
Location: Cleveland, Ohio
Posts: 430
Thanks: 30
I downloaded what you said, but what exactly do I do with it now?
__________________
Anyone who has never made a mistake has never tried anything new.
~ Albert Einstein ~
06-25-2009, 09:42 PM
#4
La Vida es Sueño
Join Date: Sep 2007
Location: Oldham
Posts: 2,215
Thanks: 90
Although you see a radio box or a check box, HTTP doesn't have a clue, nor care too much, what the object was beforehand. Whether it's a text box or a radio box, the data is still passed through in the format of key to value, whether it's GET or POST.
Here's a picture of my POST for this message:
Notice the POST data under the Cache-Control parameter, which is just a GET sent in the actual request.
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
06-25-2009, 09:50 PM
#5
The Frequenter
Join Date: Jun 2009
Location: Cleveland, Ohio
Posts: 430
Thanks: 30
I have no idea what you mean.
So basically you are saying that select menus, radio buttons and checkboxes can be messed with?
If so, how do they do it? And how do I protect against it?
__________________
Anyone who has never made a mistake has never tried anything new.
~ Albert Einstein ~
06-25-2009, 09:55 PM
#6
Moderateur
Join Date: Apr 2007
Posts: 1,239
Thanks: 3
Quote:
Originally Posted by knight13
So basically you are saying that select menus, radio buttons and checkboxes can be messed with?
If so, how do they do it? And how do I protect against it?

Absolutely, they can be messed with, missed out, etc. There's absolutely no requirement for a form to even exist! Someone could write a (very simple!) PHP script to pretend they're submitting your form but with any values that they like (malicious or not).
How to protect against it? As you would any other user input. Filter it, validate it, etc.
__________________
salathe@php.net
06-25-2009, 09:57 PM
#7
La Vida es Sueño
Join Date: Sep 2007
Location: Oldham
Posts: 2,215
Thanks: 90
Every single HTML element is the same once you've submitted the data for that form. All you see when you see a radio box or a check box are elements that facilitate filling in forms, but a check box can quite easily contain any value: whatever you specify in the value attribute.
HTML Code:
<input type="checkbox" name="myCheckbox" value="This is a string in a check-box" />
And then try and submit that and see what you get on the other end.
06-25-2009, 10:10 PM
#8
The Frequenter
Join Date: Jun 2009
Location: Cleveland, Ohio
Posts: 430
Thanks: 30
So I would do it like this then?
HTML Code:
<input type="checkbox" name="myCheckbox" value="This is a string in a check-box" />
Validated code:
PHP Code:
if (isset($_POST['myCheckbox'])) {
    $check = $_POST['myCheckbox'];
    $check = mysql_real_escape_string($check); // escape the value for use inside a MySQL query string
}
__________________
Anyone who has never made a mistake has never tried anything new.
~ Albert Einstein ~
06-26-2009, 06:12 PM
#9
The Contributor
Join Date: Jun 2008
Location: Twin Cities, Minnesota, USA
Posts: 50
Thanks: 3
For a checkbox, you might be looking for it to send back true or false, or maybe 1 or 0, so when validating the checkbox you can check for those specific values and have your script's main flow react based on those true/false values.
Here's some code to show what I mean.
PHP Code:
if ( isset($_POST["form_submitted"]) ) { // is the form submitted
    // get the value of the checkbox, it does not matter what it _could_ be
    // (an unchecked checkbox is not sent at all, so fall back to "" instead of reading a missing index)
    $checkbox = isset($_POST["the_checkbox"]) ? $_POST["the_checkbox"] : "";
    $checkbox_state = false; // default to false
    switch ($checkbox) { // checking specific values here, true and false, always defaulting to false
        case "true":
            $checkbox_state = true;
            break;
        case "false":
            $checkbox_state = false;
            break;
        default:
            $checkbox_state = false;
    }
    // ... later in code somewhere ...
    if ( $checkbox_state == true ) {
        // do some action
    } else {
        // don't do some action
    }
}
06-26-2009, 06:22 PM
#10
The Frequenter
Join Date: Jun 2009
Location: Cleveland, Ohio
Posts: 430
Thanks: 30
Thanks ryanmr.
__________________
Anyone who has never made a mistake has never tried anything new.
~ Albert Einstein ~
06-26-2009, 06:28 PM
#11
The Contributor
Join Date: Jun 2008
Location: Twin Cities, Minnesota, USA
Posts: 50
Thanks: 3
Glad I could help.
The code I posted had a switch statement in it and it was not necessary. Here's a partial update, the same code, just with an if/else instead of a switch.
PHP Code:
// get the value of the checkbox, it does not matter what it _could_ be
// (an unchecked checkbox is not sent at all, so fall back to "" instead of reading a missing index)
$checkbox = isset($_POST["the_checkbox"]) ? $_POST["the_checkbox"] : "";
// A switch isn't needed there, a simple if/else is better.
if ( $checkbox == "true" ) {
    $checkbox = true;
} else {
    $checkbox = false;
}
This now overwrites the original post value stored in $checkbox, making for fewer variables and cleaner code.
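The server-side allowlist check that salathe ("filter it, validate it") and ryanmr (checking a checkbox for specific values) describe, written out as an added example; this is not code from the thread, and the field names, option lists and sample submissions are assumptions.

```php
<?php
// Added example (not from the thread). Field names, option lists and the
// sample submissions below are assumptions made for illustration.

// The only values the server itself put into the <select> and radio buttons.
const SHIPPING_OPTIONS = ['standard', 'express', 'pickup'];
const COLOR_OPTIONS    = ['red', 'green', 'blue'];

// Return the submitted value only if it is one of the allowed options,
// otherwise $default. strict=true in in_array() avoids loose comparisons
// such as 0 == "standard"; is_string() rejects name[] array submissions.
function pick_option(array $input, string $field, array $allowed, ?string $default = null): ?string
{
    if (!isset($input[$field]) || !is_string($input[$field])) {
        return $default;
    }
    return in_array($input[$field], $allowed, true) ? $input[$field] : $default;
}

// A checkbox is absent from $_POST when unchecked, so test for presence of
// exactly the value= the form declared rather than for "anything at all".
function checkbox_checked(array $input, string $field, string $expected = 'on'): bool
{
    return isset($input[$field]) && $input[$field] === $expected;
}

// Validate one submission; returns the cleaned fields or a list of errors.
function validate_order(array $input): array
{
    $errors   = [];
    $shipping = pick_option($input, 'shipping', SHIPPING_OPTIONS);
    if ($shipping === null) {
        $errors[] = 'shipping must be one of: ' . implode(', ', SHIPPING_OPTIONS);
    }
    $color      = pick_option($input, 'color', COLOR_OPTIONS, 'red'); // radio with a default
    $newsletter = checkbox_checked($input, 'newsletter', 'yes');
    if ($errors) {
        return ['errors' => $errors];
    }
    return ['shipping' => $shipping, 'color' => $color, 'newsletter' => $newsletter];
}

// Constructed submissions: the first is what the form produces, the second
// was edited in transit and carries values the form never offered.
$normal = ['shipping' => 'express', 'color' => 'blue', 'newsletter' => 'yes'];
$forged = ['shipping' => 'free-overnight', 'color' => ['x'], 'newsletter' => 'maybe'];
print_r(validate_order($normal));
print_r(validate_order($forged));
```

The forged submission is rejected on the shipping field, its array-valued colour falls back to the default, and its checkbox counts as unchecked, all without ever trusting what the browser claimed the widgets were.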
06-26-2009, 06:50 PM
#12
The Frequenter
Join Date: Jun 2009
Location: Cleveland, Ohio
Posts: 430
Thanks: 30
I like the second code better.
__________________
Anyone who has never made a mistake has never tried anything new.
~ Albert Einstein ~